Prologue: 1979

“Why should we look to the past in order to prepare for the future? Because there is nowhere else to look.”

James Burke, Connections

http://upload.wikimedia.org/wikipedia/en/archive/2/2e/20130124220825!James_Burke_%28historian%29.jpg

Prologue: 1886

http://en.wikipedia.org/wiki/File:%27Robur_the_Conqueror%27_by_L%C3%A9on_Benett_01.jpg
http://upload.wikimedia.org/wikipedia/commons/3/3d/%27Robur_the_Conqueror%27_by_L%C3%A9on_Benett_14.jpg

Prologue: 1890

http://en.wikipedia.org/wiki/File:Daniel_Burnham_c1890.jpeg

Prologue: 1893

http://www.bc.edu/bc_org/avp/cas/fnart/fa267/1893/1893_02.jpg

Prologue: 1900

http://explorepahistory.com/displayimage.php?imgId=1-2-A46

1901-1902

http://en.wikipedia.org/wiki/File:Flatiron_Building_Construction,_New_York_Times_-_Library_of_Congress,_1901-1902_crop.JPG

Dropping 40kDay

The Flat Iron Building in New York City is vulnerable to denial of service or complete system destruction due to inadequate defenses against the kinetic and chemical energy of 315,000 lbs of aluminum containing 16,000 gallons of kerosene impacting at 500 mph.


Base Score Metrics

CVSS Base Score: 6.5
(AV:A/AC:H/Au:N/C:P/I:C/A:C)

Access Vector (AV)*: Local (AV:L) | Adjacent Network (AV:A) | Network (AV:N)
Access Complexity (AC)*: High (AC:H) | Medium (AC:M) | Low (AC:L)
Authentication (Au)*: Multiple (Au:M) | Single (Au:S)

* - All base metrics are required to generate a base score.

Impact Metrics

Confidentiality Impact (C)*: Partial (C:P) | Complete (C:C)
Integrity Impact (I)*: None (I:N) | Partial (I:P) | Complete (I:C)
Availability Impact (A)*: None (A:N) | Partial (A:P) | Complete (A:C)

Temporal Score Metrics

Exploitability (E): Not Defined (E:ND) | Unproven that exploit exists (E:U) | Functional exploit exists (E:F) | High (E:H)
Remediation Level (RL): Not Defined (RL:ND) | Official fix (RL:OF) | Temporary fix (RL:T) | Workaround (RL:W) | Unavailable (RL:U)
Report Confidence (RC): Not Defined (RC:ND) | Unconfirmed (RC:UC) | Uncorroborated (RC:UR) | Confirmed (RC:C)

Environmental Score Metrics

General Modifiers

Collateral Damage Potential (CDP): Not Defined (CDP:ND) | None (CDP:N) | Low (light loss) (CDP:L) | Low-Medium (CDP:LM) | Medium-High (CDP:MH) | High (catastrophic loss) (CDP:H)
Target Distribution (TD): Not Defined (TD:ND) | None (TD:N) | Low [0-25%] (TD:L) | Medium [26-75%] (TD:M) | High [76-100%] (TD:H)

Impact Subscore Modifiers

Confidentiality Requirement (CR): Not Defined (CR:ND) | Low (CR:L) | Medium (CR:M) | High (CR:H)
Integrity Requirement (IR): Not Defined (IR:ND) | Low (IR:L) | Medium (IR:M) | High (IR:H)
Availability Requirement (AR): Not Defined (AR:ND) | Low (AR:L) | Medium (AR:M) | High (AR:H)

Common Vulnerability Scoring System Version 2 Calculator

This page shows the components of the CVSS score for example and allows you to refine the CVSS base score. Please read the CVSS standards guide to fully understand how to score CVSS vulnerabilities and to interpret CVSS scores. The scores are computed in sequence such that the Base Score is used to calculate the Temporal Score and the Temporal Score is used to calculate the Environmental Score.

[Bar charts: Base Scores (Base, Impact, Exploitability); Temporal; Environmental (Environmental, Modified Impact); Overall. Vertical axis 0.0 to 10.0.]

CVSS Base Score: 6.5
Impact Subscore: 9.5
Exploitability Subscore: 3.2
CVSS Temporal Score: 5
CVSS Environmental Score: 7.6
Modified Impact Subscore: 10
Overall CVSS Score: 7.6

CVSS v2 Vector (AV:A/AC:H/Au:N/C:P/I:C/A:C/E:U/RL:U/RC:UC/CDP:H/TD:H/CR:M/IR:H/AR:H)

http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:A/AC:H/Au:N/C:P/I:C/A:C/E:U/RL:U/RC:UC/CDP:H/TD:H/CR:M/IR:H/AR:H)

1904

http://en.wikipedia.org/wiki/Master_of_the_World_%28novel%29

http://www.julesverne.ca/images/book/illustratrations/Maitre%20du%20Monde_image%20epouvante%20over%20niagara_detail.jpg

1906

I found myself agape, admiring a sky-scraper, the prow of the Flat-iron Building, to be particular, ploughing up through the traffic of Broadway and Fifth Avenue in the afternoon light.

H.G. Wells, 1906

CERT | Software Engineering Institute | Carnegie Mellon University

1915

http://www.pinterest.com/pin/432275264204090218/

Shortly thereafter

http://ephemeralnewyork.files.wordpress.com/2009/08/flatironbuildingpostcard.jpg

1918

http://en.wikipedia.org/wiki/File:Hannover_CL_IIIa,_Forest_of_Argonne,_France,_1918_%28restored%29.jpg

1939

http://en.wikipedia.org/wiki/File:B-25G_Mitchell,_AAF_TAC_Center,_Florida_-_040315-F-9999G-005.jpg

1939

http://www.nationalmuseum.af.mil/shared/media/photodb/photos/060720-F-1234P-001.jpg

1945

http://en.wikipedia.org/wiki/File:Empirestate540.jpg

The view from here

1946

Temporal Score Metrics

Exploitability (E): Not Defined (E:ND) | Unproven that exploit exists (E:U) | Proof of concept code (E:POC) | Functional exploit exists (E:F) | High (E:H)
Remediation Level (RL): Not Defined (RL:ND) | Official fix (RL:OF) | Temporary fix (RL:T) | Workaround (RL:W) | Unavailable (RL:U)
Report Confidence (RC): Not Defined (RC:ND) | Unconfirmed (RC:UC) | Confirmed (RC:C)

Common Vulnerability Scoring System Version 2 Calculator

[Bar charts: Base Scores (Base, Impact, Exploitability); Temporal; Environmental (Environmental, Modified Impact); Overall. Vertical axis 0.0 to 10.0.]

CVSS Base Score: 6.5
Impact Subscore: 9.5
Exploitability Subscore: 3.2
CVSS Temporal Score: 5.3
CVSS Environmental Score: 7.8
Modified Impact Subscore: 10
Overall CVSS Score: 7.8

CVSS v2 Vector (AV:A/AC:H/Au:N/C:P/I:C/A:C/E:POC/RL:W/RC:UR/CDP:H/TD:H/CR:M/IR:H/AR:H)

Disclaiming Responsibility for the Fire

(Verses 1-4 go here)

http://eil.com/shop/moreinfo.asp?catalogid=76681

1963

Basic attack tree

1967

http://en.wikipedia.org/wiki/Apollo_1#mediaviewer/File:Apollo_1%27s_Command_Module_-_GPN-2003-00057.jpg

FAULT TREE FOR SAFETY


MING  AEMPAGE  tmm 

F|€SLAACM  AMD  iMGCNE^HIH^  GIVri&tOM 
££ATTMj  MASHIIH&TQH 

1970

FEDERAL AVIATION ADMINISTRATION (FAA) SYSTEM SAFETY HANDBOOK

http://www.barnesandnoble.com/w/federal-aviation-administration-system-safety-handbook-federal-aviation-administration/1118719983

1978

http://www.boeing.com/boeing/commercial/767family/

http://phil.cdc.gov/phil/details.asp?pid=1194

1981

NUREG-0492

Fault Tree Handbook

Nuclear Regulatory Commission

http://www.barnesandnoble.com/w/fault-tree-handbook-us-nuclear-regulatory-commission/1113865485

Rock and Roller Cola Wars

That ain't right. All you gotta do is !@#$ up one word in that song and it's a train wreck.

http://eil.com/shop/moreinfo.asp?catalogid=76681

http://www.rollingstone.com/music/videos/watch-billy-joel-forget-the-lyrics-to-we-didnt-start-the-fire-20140314

1984

http://www.bhopal.net/what-happened-in-bhopal/

1986

This very complex and costly "fault tree analysis" suggests ways to avoid those sequences [that could cause accidents]... Bill J. McCarty, who oversees safety analysis at NASA... said the fault tree method was not applied to the rocket boosters before the accident and is just now being used to check whether the agency missed any potential causes of failure... He and others in the agency stood behind their methods. "We have done an excellent job in ferreting out the weaknesses," Mr. McCarty said.

Nevertheless, some of the foremost experts on risk said that NASA's method was more likely to miss critical failure sequences because it... depends on those doing the study to know the system so well that they can make sound judgments in determining which components are most likely to fail.

the fault tree method was not applied to the rocket boosters before the accident and is just now being used to check whether the agency missed any potential causes of failure

http://commons.wikimedia.org/wiki/File:Space_Shuttle_Challenger_(04-04-1983).JPEG

1988

http://firesafetynation.com/images/2%281%29.jpg

1992

Process Safety Management

U.S. Department of Labor
Occupational Safety and Health Administration
OSHA 3132
2000 (Reprinted)

http://www.amazon.com/Process-Safety-Management-Department-Labor/dp/1478114207

Attack Trees

Dr. Dobb's Journal, December 1999

Modeling security threats

By Bruce Schneier

Few people truly understand computer security, as illustrated by computer-security company marketing literature that touts "hacker proof software," "triple-DES security," and the like. In truth, unbreakable security is broken all the time, often in ways its designers never imagined. Seemingly strong cryptography gets broken, too. Attacks thought to be beyond the ability of mortal men become commonplace. And as newspapers report security bug after security bug, it becomes increasingly clear that the term "security" doesn't have meaning unless also you know things like "Secure from whom?" or "Secure for how long?"

Clearly, what we need is a way to model threats against computer systems. If we can understand all the different ways in which a system can be attacked, we can likely design countermeasures to thwart those attacks. And if we can understand who the attackers are - not to mention their abilities, motivations, and goals - maybe we can install the proper countermeasures to deal with the real threats.

Enter Attack Trees

Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes.

Attack Modeling for Information Security and Survivability

Technical Note CMU/SEI-2001-TN-001

Andrew P. Moore
Robert J. Ellison
Richard C. Linger

March 2001

“This technical note describes and illustrates an approach for documenting attack information in a structured and reusable form.

We expect that security analysts can use this approach to document and identify commonly occurring attack patterns, and that information system designers and analysts can use these patterns to develop more survivable information systems.”

http://en.wikipedia.org/wiki/File:World_Trade_Center,_New_York_City_-_aerial_view_%28March_2001%29.jpg

CVSS v2 2001

Temporal Score Metrics

Exploitability (E): Not Defined (E:ND) | Unproven that exploit exists (E:U) | Proof of concept code (E:POC) | Functional exploit exists (E:F) | High (E:H)
Remediation Level (RL): Not Defined (RL:ND) | Official fix (RL:OF) | Temporary fix (RL:T) | Workaround (RL:W) | Unavailable (RL:U)
Report Confidence (RC): Not Defined (RC:ND) | Unconfirmed (RC:UC) | Uncorroborated (RC:UR) | Confirmed (RC:C)

Common Vulnerability Scoring System Version 2 Calculator

[Bar charts: Base Scores (Base, Impact, Exploitability); Temporal; Environmental (Environmental, Modified Impact); Overall. Vertical axis 0.0 to 10.0.]

CVSS Base Score: 6.5
Impact Subscore: 9.5
Exploitability Subscore: 3.2
CVSS Temporal Score: 5.6
CVSS Environmental Score: 7.9
Modified Impact Subscore: 10
Overall CVSS Score: 7.9

CVSS v2 Vector (AV:A/AC:H/Au:N/C:P/I:C/A:C/E:F/RL:T/RC:C/CDP:H/TD:H/CR:M/IR:H/AR:H)

2002

http://www.afhso.af.mil/shared/media/photodb/photos/110802-D-LN615-001.jpg

CVSS v2 2002

Temporal Score Metrics

Exploitability (E): Not Defined (E:ND) | Unproven that exploit exists (E:U) | Proof of concept code (E:POC) | Functional exploit exists (E:F) | High (E:H)
Remediation Level (RL): Not Defined (RL:ND) | Official fix (RL:OF) | Temporary fix (RL:T) | Workaround (RL:W) | Unavailable (RL:U)
Report Confidence (RC): Not Defined (RC:ND) | Unconfirmed (RC:UC) | Uncorroborated (RC:UR) | Confirmed (RC:C)

Common Vulnerability Scoring System Version 2 Calculator

[Bar charts: Base Scores (Base, Impact, Exploitability); Temporal; Environmental (Environmental, Modified Impact); Overall. Vertical axis 0.0 to 10.0.]

CVSS Base Score: 6.5
Impact Subscore: 9.5
Exploitability Subscore: 3.2
CVSS Temporal Score: 5.4
CVSS Environmental Score: 7.8
Modified Impact Subscore: 10
Overall CVSS Score: 7.8

2003

Veterans of the Challenger experience say that it sounds cautious and logical to argue that all potential causes of the disaster should be examined and eliminated, one by one. Ron D. Dittemore, the shuttle program manager, made that argument again today, saying that he would construct a "fault tree," and that the question of whether insulating foam fatally damaged the heat-shedding tiles would be one branch of that tree.

...would construct a "fault tree," and that the question of whether insulating foam fatally damaged the heat-shedding tiles would be one branch of that tree

http://www.nytimes.com/2003/02/07/us/loss-shuttle-search-for-answers-learning-lessons-challenger-inquiry.html

http://static.ddmcdn.com/gif/shuttle-columbia-launch-660x433-130201-1.jpg

2009: NASA on Fault Tree Analysis

Fault Tree Analysis (FTA) is one of the most important logic and probabilistic techniques used in Probability Risk Assessment (PRA) and system reliability assessment today. PRA and its underlying techniques, including FTA, has become a useful and respected methodology for safety assessment. Because of its logical, systematic and comprehensive approach, PRA and FTA have been repeatedly proven capable of uncovering design and operational weaknesses that escaped even some of the best deterministic safety and engineering

http://www.hq.nasa.gov/office/codeq/software/ComplexElectronics/techniques/fault-tree.htm

2012: MS Blog on Attack Tree Analysis

“The problem is that attack trees quickly became rather complex. A full attack tree often has hundreds of different paths you can take, making it difficult to follow visually. Determining the classification of a threat from attack trees is also far too labor-intensive... While the concept of attack trees is sound, the application of this approach is far from it.”

The Evolution of Elevation: Threat Modeling in a Microsoft World

• January 17, 2012, Dana Epp, Microsoft MVP - Enterprise and Developer Security
http://technet.microsoft.com/en-us/security/hh778966.aspx

Vulnerability Discovery

Reality

Vuls found here

Build security in?

At what stage in the process should the Flat Iron Building developers have incorporated defenses against 500+mph airplanes filled with jet fuel?

How harshly should we judge those who declined to defend against threats that science fiction had barely begun to explore when the system was deployed?

Vulnerabilities can arise because the world changes around the system...

...even if the system itself remains unchanged.

2014

The trendline in the count of critical monocultures seems to be rising and most of these are embedded systems both without a remote management interface and long lived. That combination -- long lived and not reachable -- is the trend that must be dealt with, possibly even reversed.

• Dan Geer, speaking @ NSA on 3/26/14
http://geer.tinho.net/geer.nsa.26iii14.txt

Points to ponder

How long will your next refrigerator last?

How about your next car?

http://www.toyota.com/entune/entune-app-suite/prius/

Points to ponder

How about your light bulbs?

What's In the Box: Three hue light bulbs; wireless bridge; power adapter; 2-meter Ethernet netwo…

Specifications
Concentrate: Tested in schools to a tone and brightness that'll keep you … d and alert
Bulbs: E26 contact medium screw base fitting, 9 watts; A19 form … 15,000 hours of lifetime use
Light output: 16 million colors; all shades of white; dimming via RF to 5 … (no external dimmer)
Lumen output: 600 lm @ 4000K; 510 lm @ 3000K; 360 lm @ 2000K; 550 … efficacy @ 4000K
Bridge: Supports 50 bulbs per bridge; ZigBee LightLink Protocol 1.0; 2400 - 2403.5 MHz frequency band; desktop or wall mount; measures 3.93 inches in diameter and 0.98 inches tall
Startup: Less than 2 seconds from AC power; less than 0.5 seconds from standby
Warranty: 2 years

15,000 hrs
4 hrs / day

10 years

Points to ponder

How long will you be able to get patches for them?

Points to ponder

Defense mechanisms

• Field upgradability
• Layered defenses
• Planned obsolescence
• Read more Science Fiction

Design for adaptability to environments that become more hostile over time

Threat modeling and attack tree analysis still have a lot to learn from safety analysis, incl. fault trees

2014

CMU SEI CERT Division

Analyzing the Architecture

During its research projects, the Software Engineering Institute has developed several tools for system design, analysis and validation. Among them several tools were designed for analyzing performance criteria, such as latency or bus load. Other analysis are specific to the avionics domain, such as the ARINC653 validation framework that aims at validating system properties related to avionics system (space isolation across partitions, validation of system configuration, analysis of partition communication policy, etc.).

Safety Analysis

Recent focus of the SEI work has been on tools for analyzing system safety in support of industry practice standards (such as SAE ARP4761). Support includes Functional Hazard Assessment (FHA), Failure Mode and Effect Analysis (FMEA), Fault Tree Analysis (FTA), stochastic Dependency Diagram (DD) aka. Reliability Block Diagram (RBD) and Markov Chain analysis. Automation of these currently largely manual practices allow for repeated analysis and trade studies of design alternatives.

Open Source AADL Tool Environment (OSATE)

The Open Source AADL Tool Environment is an Eclipse-based modeling framework for using AADL. It brings AADL support within the Eclipse environment so that architecture practitioners can write their models using the AADL textual syntax. Users can also visualize their model using

Related work at CERT

Systemic Vulnerability Program (ongoing)

• Extend focus from vulnerabilities within a single application or program to encompass those that may affect a wide range of applications, networks, and systems.
— Emerging domain outreach, tool development.
— Supply chain vulnerabilities (CRDb)

Vulnerability Discovery Research (ongoing)

Extending AADL for Security Design Assurance of the Internet of Things Research (2014-2015)


This talk inspired by...

KC-135s from the 171st Air Refueling Wing often circle the Pittsburgh area. From the perspective of my office at CMU, looking out at the view seen here, the planes usually fly right above or behind the Cathedral of Learning.

Construction of the Cathedral of Learning was started in 1926. The KC-135 didn’t enter service until 1957.

Why didn’t Pitt address this vulnerability in design?

http://www.wingsoverpittsburgh.com/Airshow2010/pics/Kc135FlyingDirty.jpg

"What are you going to make your future of, for all your airs?" And then I suppose I shall return to crane my neck at the Flat-Iron Building or the Times sky scraper, and ask all that too, an identical question.

H.G. Wells, 1906

http://archive.org/stream/hgwellsfuture00wellrich/hgwellsfuture00wellrich_djvu.txt

Google Maps Street View, 2014